Fragmentation of IKE Packets

Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

• You must be using Cisco IOS software Release 12.4(15)T7 or a later release.
• The Easy VPN software client must be configured to support Network Address Translation Transversal (NAT-T) or TCP transport for the client to send the fragmentation vendor-ID.

• IKE fragmentation must be proposed and supported by the initiator of the IKE exchange. You should consult documentation for Cisco Easy VPN clients to determine their capabilities for this feature.
• Do not use this feature with Cisco Easy VPN software client versions 5.01 through 5.03 because their use could lead to problems. Versions earlier than version 5.01 are not impacted, and the issue has been addressed in versions later than version 5.03.
• This feature does not support fragmentation during aggressive mode, configuration mode, or quick mode.

The Fragmentation of IKE Packets feature provides for the fragmentation of large IKE packets into a series of smaller IKE packets to avoid fragmentation at the UDP layer (for example, for large certificate payloads or certificate request payloads).

The original IKE packet is checked for size against the minimum possible maximum transmission unit (MTU) size of 576 bytes and split into a series of smaller fragments. Each fragment is an individual IKE packet that has its own IKE header and is afforded the same protection as negotiated at the start of the IKE exchange.

A vendor_ID indicates the capability of the initiator to support IKE fragmentation. The Cisco IOS responder, if configured to support IKE fragmentation, responds with the same vendor_ID, thus acknowledging the capability to support IKE fragmentation if required.

The vendor_IDs are exchanged in the first two main-mode exchanges so that fragmentation of packets does not occur until at least the main mode 3 (MM3) exchange.

This feature provides support for Cisco IOS in terms of being a responder in an IKE main mode exchange.

After the capabilities have been agreed upon, fragmentation occurs automatically.

If all fragments in a series are not received within the normal course of the IKE exchanges, current IKE retransmission processes are used to request that information be resent.

Note	If an IKE packet is not greater than 576 bytes in size, the packet is not fragmented.

This feature is supported for IKE via port 500, IKE via port 4500 (NAT-T), and TCP wrappers.

After configuration, the feature is enabled on the router in global configuration mode so that all incoming IKE connection requests are possible candidates for fragmentation.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    crypto isakmp fragmentation

DETAILED STEPS

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enables privileged EXEC mode. Enter your password if prompted.
Step 2	configure terminal Example: Router# configure terminal	Enters global configuration mode.
Step 3	crypto isakmp fragmentation Example: Router (config)# crypto isakmp fragmentation	Enables fragmentation of large IKE packets into a series of smaller IKE packets to avoid fragmentation at the UDP layer. Note    The crypto isakmp fragmentation command is only applicable when the IOS Router is acting as an Easy VPN server and the remote peer is a Cisco IPsec VPN client.